News items for tag linux - Koos van den Hout

2019-02-05 Starting tcpdump causes bluetooth drivers to be loaded .. on a virtual machine 2 months ago
I noticed something really weird in the kernel log of a virtual machine:
Feb  5 11:46:54 server kernel: [2936066.990621] Bluetooth: Core ver 2.22
Feb  5 11:46:54 server kernel: [2936067.005355] NET: Registered protocol family 31
Feb  5 11:46:54 server kernel: [2936067.005901] Bluetooth: HCI device and connection manager initialized
Feb  5 11:46:54 server kernel: [2936067.006404] Bluetooth: HCI socket layer initialized
Feb  5 11:46:54 server kernel: [2936067.006838] Bluetooth: L2CAP socket layer initialized
Feb  5 11:46:54 server kernel: [2936067.007280] Bluetooth: SCO socket layer initialized
Feb  5 11:46:54 server kernel: [2936067.009650] Netfilter messages via NETLINK v0.30.
Feb  5 11:46:54 server kernel: [2936067.056017] device eth0 entered promiscuous mode
The last two are the giveaway about what really happened: I started tcpdump to debug a problem. But I did not expect (and do not need) bluetooth drivers on a virtual machine, it will never have access to a bluetooth dongle.

After setting up /etc/modprobe.d/local-config.conf with
blacklist bluetooth
tcpdump still works fine and no bluetooth drivers are loaded.

Update: Most recommendations are to disable the bluetooth network family:
alias net-pf-31 off

Tags: ,
2019-01-30 Misconfigured backups 2 months ago
I have "always" been running amanda for backups on linux. Or rather, I can't find any indication when I started doing that several homeserver versions ago, it's just still running.

Or it was running, but first I had to tackle a hardware problem: all SCSI controllers I have are PCI and the newest homeserver has no PCI slots. So I searched for a solution. The first solution was to try using the desktop system for the tapedrive, but the powersupply in that system has no 4-lead Molex connectors so I can't connect the tapedrive.

For now I use an old 'test' system with some software upgrades to run amanda and shut it down when all backups are done and flushed to tape. But amanda had a serious problem writing stuff to tape. With some debugging this turned out to be caused by the variable blocksize I used on the previous systems, with
# mt -f /dev/nst0 setblk 0
and I can't even find out why this seemed like a good idea years ago. But now amanda really wants to use 32768 byte blocks and filled a DDS-3 tape (12 Gb without compression) with about 1.8 Gb of data before reaching the end of the tape.

Why this default has changed isn't clear to me, but I found a way to re-initialize the tapes so the backups fit again. Based on block size mismatch - backup central I created a script to do this. I did not get the error about the blocksize, but I searched specifically for 'amanda 3.3.6 blocksize'.
#!/bin/sh

if [ "$1" = "" ]; then
        echo "Usage: $0 <tapename>"
fi

mt -f /dev/nst0 setblk 32768
mt -f /dev/nst0 compression 1
mt -f /dev/nst0 rewind
dd if=/dev/zero of=/dev/nst0 bs=32768 count=200
mt -f /dev/nst0 setblk 32768
mt -f /dev/nst0 compression 1
mt -f /dev/nst0 rewind
amlabel -f kzdoos $1
And now normal amounts of data fit on a tape again. I just have to initialize every tape before using it for the first time in this setup.

Tags: , ,
2019-01-02 Migration to new server finished 3 months ago
More than a year after I started migrating from homeserver greenblatt to the new homeserver conway the last migration is done and the old server is switched off. The new server is in a good position in the rack, and the old server is still taking up space in there too. It has taken a lot of time, I decided to stop some websites and other unused services in the process and my energy levels haven't always been that great. I have improved several things in the process, which also caused delays.

One thing hasn't changed (which I did expect to change): the power usage of the new server isn't lower! The UPS tells me the output load is about the same. Ok, the new hardware has a lot more CPU power, a lot more memory and faster storage, but I expected the poweruse to go down a bit.

Tags: , , ,
2019-01-01 Switching to 1-wire over USB and forwarding a USB device to a guest VM 3 months ago
The new hardware for the homeserver has no external serial ports, so I could not use the old serial / 1-wire interface that has been doing the home monitoring for years. But I had a spare USB DS2490 interface. So I plugged this into the server and wanted to forward the USB device to the guest VM that runs all the monitoring.

First I had to blacklist all the loaded drivers to have the device available to kvm as-is. In /etc/modprobe.d/local-config.conf:
blacklist w1_smem
blacklist ds2490
blacklist wire
Next step was to attach the device to the right vm. I followed the hints at How to auto-hotplug usb devices to libvirt VMs (Update 1) and edited the definition for the vm to get the host device like:
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x04fa'/>
        <product id='0x2490'/>
      </source>
    </hostdev>
But that did not get the usb device attached to the running VM and I did not feel like rebooting it. So I created an extra file with the above and did a
root@conway:~# virsh attach-device --live gosper /tmp/onewire.xml 
Device attached successfully
And then I had to do the same blacklisting as above in the virtual machine. After doing that I detached and attached it from the VM without touching it with simply:
root@conway:~# virsh detach-device --live gosper /tmp/onewire.xml 
Device detached successfully

root@conway:~# virsh attach-device --live gosper /tmp/onewire.xml 
Device attached successfully
After that I had to set up rules for the telemetry user to have enough access to the USB device:
#
SUBSYSTEMS=="usb", GOTO="usb_w1_start"
GOTO="usb_w1_end"
LABEL="usb_w1_start"
ATTRS{idVendor}=="04fa", ATTRS{idProduct}=="2490", GROUP="telemetry", MODE="0666"
LABEL="usb_w1_end"
And now it all works:
telemetry@gosper:~$ digitemp_DS2490 -a
DigiTemp v3.7.1 Copyright 1996-2015 by Brian C. Lane
GNU General Public License v2.0 - http://www.digitemp.com
Found DS2490 device #1 at 002/003
Jan 01 21:53:11 Sensor 10A8B16B0108005D C: 9.500000
Jan 01 21:53:12 Sensor 28627F560200002F C: 17.062500
Jan 01 21:53:14 Sensor 10BC428A010800F4 C: 19.562500
Jan 01 21:53:15 Sensor 1011756B010800F1 C: 11.937500
Jan 01 21:53:16 Sensor 10B59F6B01080016 C: 16.312500
Jan 01 21:53:17 Sensor 1073B06B010800AC C: 18.687500
Jan 01 21:53:18 Sensor 102B2E8A010800F0 C: 29.250000
Jan 01 21:53:20 Sensor 28EF71560200002D C: 16.687500
Working house temperatures again!

Tags: , , , ,
2018-12-30 New GcmWin for Linux 3 months ago
The author of GcmWin for Linux responded quickly to my report of being unable to install gcmwin after installing a new Linux version and made a new version available which does run fine on Ubuntu 18.04. Again my thanks to Roger Hedin SM3GSJ for making GcmWin available.

Tags: , ,
2018-12-30 First annoyance with systemd on thompson 3 months ago
On reinstalling thompson I was not sure whether to pick ubuntu (with lots of package support for amateur radio) or devuan (without systemd). I chose ubuntu to keep access to lots of amateur radio packages but as expected the first systemd problem already got me. Names in the internal network with RFC1918 addresses weren't resolvable.

After some searching I found out systemd-resolved had decided the last nameserver advertised via IPv6 was the one to use. As I could not find a lot of information on how to do the ordering I just decided to kick it all out and switch to normal resolving. Some searching found How to disable systemd-resolved in Ubuntu? - ask ubuntu which has the right steps. Back to somewhat normal, the next step is to convince NetworkManager to use IPv6 resolving before IPv4.

Tags: , , ,
2018-12-23 I upgraded the 'radio workstation' thompson 3 months ago
As mentioned in New 2 meter distance: 506 kilometers I was still running the old wsjt-x because a newer version requires a newer Linux environment. With a bit of time in the christmas holidays available and more and more things depending on this upgrade I ordered a new disk from Azerty so the reinstallation would be easier. The old linux installation on the radio workstation was several Ubuntu versions old, it was still a 32-bit installation because of earlier hardware compatibility issues and something in D-Bus communication gave lots of errors at bootup, so I expected another upgrade to give me an unavailable system.

The new disk came faster than expected, and I did an install with Xubuntu because I'm ok with the Xfce environment.

One problem is back: the system starts with the two monitors swapped and after the screensaver kicks in the monitors somehow end up in mirrored mode.

And Gcmwin for linux failed in the upgrade since it depends on older libraries. Already reported to the author.

Lots of upgraded software, the most important ones in amateur radio are CQRLOG which showed the well-known MySQL problems until I used the version from the CQRLOG ppa. Everything now works fine and all the earlier confirmations of PSK contacts have been imported. And the trigger that all started this upgrade WSJT-X has been upgraded using the WSJTX General Availability Release ppa.

Tags: , ,
2018-12-19 New 2 meter distance: 506 kilometers 4 months ago
Today I had a listen on the 2 meter band with FT8 from wsjt-x 1.9.1, which is currently the near-ancient version but I can't upgrade yet (wsjt-x 2.0.0 requires newer Qt libraries which require a newer linux environment).

But I decoded some signals including a new callsign from Germany. It's always nice to work a new callsign so I answered it and the contact was made after a few tries. Only when I checked the gridsquare and the map I saw that DK1FG is a new 2 meter band distance record for me : 506 kilometers. Looking at that qrz page makes clear why that was possible: on that end 8 stacked 12 element antennes are available for 2 meter DX.

Update 2018-12-21: I just saw wsjt-x packages for other ubuntu versions are available in the WSJTX General Availability Release ppa but the 'oldest' Ubuntu version supported is Ubuntu 16.04.5 LTS 'Xenial'.

Tags: , , ,
2018-11-28 Using mice adopted to my hands 4 months ago
The old rsi problem was acting up again, just like I had RSI in 1999.

One of the things I now did was add a left-side mouse on the linux desktop at home. I have used a left-side mouse for a number of years on a linux desktop and used the instructions from the xmodmap manpage:
       Many  pointers are designed such that the first button is pressed using
       the index finger of the right hand.  People who  are  left-handed  fre‐
       quently  find  that  it is more comfortable to reverse the button codes
       that get generated so that the primary  button  is  pressed  using  the
       index  finger  of  the  left  hand.   This  could be done on a 3 button
       pointer as follows:
       %  xmodmap -e "pointer = 3 2 1"
But I now have two USB mice, one with a forward/backward button and a clearly right-handed design and one simple one on the left. And it is possible to selectively swap mouse buttons on only one input device with xinput.

The list of all inputs:
koos@thompson:~$ xinput list
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Logitech USB-PS/2 Optical Mouse           id=9    [slave  pointer  (2)]
⎜   ↳ Logitech Optical USB Mouse                id=10   [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]
    ↳ Power Button                              id=6    [slave  keyboard (3)]
    ↳ Power Button                              id=7    [slave  keyboard (3)]
    ↳ Burr-Brown from TI               USB Audio CODEC  id=8    [slave  keyboard (3)]
    ↳ VIA Technologies Inc. USB Audio Device    id=11   [slave  keyboard (3)]
    ↳ daskeyboard                               id=12   [slave  keyboard (3)]
    ↳ daskeyboard                               id=13   [slave  keyboard (3)]
    ↳ Dell WMI hotkeys                          id=14   [slave  keyboard (3)]
Setting the button order happens with xinput set-button-map which needs an ID. Solution in .xsession:
xinput set-button-map $(xinput list --id-only "Logitech Optical USB Mouse") 3 2 1

Oh, and in that other operating system I use (Windows) one of the problems is the user can't set mouse button order per device. And technical specifications of left-handed mice do not list whether the buttons are swapped in hardware.

Tags: , ,
2018-11-23 Automatic ls colours can be slow 4 months ago
I noticed certain commands taking a while to start, including a simple ls. At last I got annoyed enough to diagnose the whole situation and found out the problem is the combination of symbolic links in the listed directory pointing to filesystems behind automounter, one mounted filesystem coming from a NAS with sleeping disk and ls --color doing a stat() on the target of a symbolic link to find the type of the target file to be able to select a colour.

My solution: find the source of the alias and disable it.

Tags: , ,
2018-11-16 Changing the way I listen to podcasts 5 months ago
I bought the iRiver ifp-795 in May 2005 to listen to podcasts, mostly while cycling to and from work.

But I need to find time to download new episodes on the laptop and copy them in the right order to the storage of the mp3 player. There is an another device which can do all this and can play the mp3 files too: my android smartphone.

So I looked for an Android podcast player which can deal with podcast feeds not in its own directory. After reading an overview article and browsing the play store I found RadioPublic and managed to add my favourite podcasts.

Adding a feed it didn't know was a bit harder than expected. I want to listen to The ICQ Amateur / Ham Radio Podcast but it wasn't listed. So I tried to add the RSS feed myself by typing the URL which failed. Adding it only worked out after I opened the RSS feed in my browser on android and copied and pasted the url to the 'search' field.

The application has a nice playlist and I can order the downloaded episodes in such a way that I don't get several episodes from the same show in a row.

Ok, I found one downside: it seems impossible to add an mp3 downloaded via the browser to the RadioPublic playlist.

Tags: , ,
2018-10-12 Serious slowness with rrdgraph from rrdtool 6 months ago
One of the things still needing migrating is the NTP server stats which obviously uses rrdtool. Because I want to keep the history I migrated the datasets with:
/usr/local/rrdtool/bin/rrdtool dump ntpvals-stardate.cs.uu.nl.rrd \
| ssh newhost /usr/bin/rrdtool restore -f - ntpvals-stardate.cs.uu.nl.rrd
And then create a graph of the plloffset for example using:
/usr/bin/rrdtool graph /tmp/plloffset-stardate.cs.uu.nl-24hours.png \
--title "stardate.cs.uu.nl pll offset (last 24 hours)" --imginfo \
'<img src="tmpgraphs/%s" WIDTH="%lu" HEIGHT="%lu" alt="Graph">' \
--start -24hours --end now --vertical-label="Seconds" --color BACK#0000FF \
--color CANVAS#c0e5ff --color FONT#ffffff --color GRID#ffffff \
--color MGRID#ffffff --alt-autoscale --imgformat PNG --lazy \
DEF:offset=ntpvals-stardate.cs.uu.nl.rrd:plloffset:AVERAGE \
CDEF:wipeout=offset,UN,INF,UNKN,IF CDEF:wipeoutn=wipeout,-1,* \
LINE1:offset#000000:"Offset\:" \
GPRINT:offset:LAST:"Current\:%.3lf%s" \
GPRINT:offset:MIN:"Min\:%.3lf%S" \
GPRINT:offset:MAX:"Max\:%.3lf%S" \
GPRINT:offset:AVERAGE:"Average\:%.3lf%S" \
AREA:wipeout#e0e0e0 AREA:wipeoutn#e0e0e0
But on the old server this takes 0.026 seconds, on the new server 3 minutes and 47.46 seconds. No idea what is happening, strace shows nothing strange and rrdtool uses 1 cpu at 100% all that time.
Read the rest of Serious slowness with rrdgraph from rrdtool

Tags: , , ,
2018-10-03 Seeing the same names in logcheck mails every hour 6 months ago
I use the logcheck package to monitor for unexpected log entries. Since upgrading to the new homeserver conway I noticed DNSSEC failures coming back regularly, even at weird times of the night while the domain names seemed related to services we sometimes interact with during the day. To search deeper I enabled query logging on DNS (with a short retention period) in order to find the source.

Eventually I found it: the DNSSEC failures came at the time the mail from logcheck was delivered, because it mentioned domain names that cause a DNSSEC failure. So the way to 'fix' this problem and avoid similar other problems was to whitelist logcheck mail.

Update 2018-10-05: That only helps when enabling the Mail::SpamAssassin::Plugin::Shortcircuit plugin and enabling the USER_IN_WHITELIST shortcircuit.

Update 2018-10-07: Even with whitelist and shortcircuit I still see queries for domain names in the logcheck mails. Call to spamassassin is now changed...

Now, once again...this time with FEEwing

Tags: , ,
2018-09-26 Made the big bang to the new homeserver 6 months ago
So for months and months I had hardware ready for the new homeserver, I was testing bits and pieces in the new environment and I still did not get around to making the big bang. Part of the time the new system was running and using electricity.

And a few weeks ago I had time for the big bang and forgot to mention it!

So one free day I just did the last sync of homedirectories and started migrating all services in a big bang. No more but, if, when, is it done yet. It's a homeserver, not a complete operational datacenter. Although with everything running it sometimes does look that way!

The new setup, more completely documented at Building - and maintaining home server conway 2017 is now running almost all tasks. The main migration was homedirectories, mail, news, webservers. Things are now split over several virtual machines and the base virtual machine running kvm virtual machines is as minimal as possible.

One thing I just noticed is that the new virtual machine with pppoe kernel mode drivers and updated software is doing great: the bigger MTU is working by default and kernel mode pppoe does not show up as using CPU when a 50 mbit download is active. I looked at CPU usage with htop and at the network traffic with iptraf and the result was that iptraf was using the most cpu.

There are still some things left to migrate, including a few public websites that currently give 50x errors. But I will find the time eventually.

Tags: , , ,
2018-09-24 After 25 years with sendmail there was still something to improve 6 months ago
I still like running sendmail on my own systems. But sendmail evolves with time and my configuration does improve slightly sometimes, such as on the introduction of authenticated smtp with secondary passwords.

After the recent upgrades to the home server there is a new mail server with some other new details and suddenly other systems at home could not relay. A bit of searching found Best practice: sendmail and SMTP auth with the right flags for the DAEMON_OPTIONS to only offer authentication on port 587 (submission).

I noticed the local systems tried relaying via port 587 so I changed this to port 25 where IP-based relaying is allowed. No idea why I set this up to use the port 587 when I set it up previously.

And yes, I checked it, I started with sendmail in 1993, so 25 years of sendmail on port 25. I did start with writing my own sendmail.cf rules but I switched to .mc based configurations.

Tags: , , ,
2018-09-21 Setting my bash prompt PS1 to remind me I'm in screen 7 months ago
With some systems constantly running screen and others not I started to get confused. Solution: change the visual indications in the prompt inside screen.

I decided to just change the username color in PS1 when I'm in screen. So now:
PS1='${STY:+\[\e[1;36m\]}\u${STY:+\[\e[0m\]}@\h:\w\$ '
In bash, ${STY:+..} gives output when shell variable STY is set. So I add the color set/unset commands to the prompt when STY, a typical screen variable is set. The result is dark cyan, a color that works (for me) on my normal light-grey background xterm/putty sessions.

Oh, and for root things are different:
PS1='\[\e[1;91m\]\u@\h\[\e[0m\]:\w\$ '
Which gives a light red user@hostname.

In the above \e causes an escape to be printed. Wrapping parts of the prompt between \[ and \] causes bash to ignore those for counting the length of the prompt so it doesn't get confused on redrawing the prompt when editing the commandline.

Samples of colours and other formatting at FLOZz' MISC » bash:tip_colors_and_formatting.

Tags: , ,
2018-09-06 Weird interface names in snmp due to virtio driver 7 months ago
I want to measure network traffic so I decided to copy most of my rrdtool setup from the old home server.

But with virtio network cards I have a confused snmpd:
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.3 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.4 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.5 = STRING: dummy0
IF-MIB::ifDescr.6 = STRING: dumhost
IF-MIB::ifDescr.7 = STRING: dumdh6
Fix: go for the IF-MIB::ifName snmp variables, found in oid 1.3.6.1.2.1.31.1.1.1:
IF-MIB::ifName.1 = STRING: lo
IF-MIB::ifName.2 = STRING: eth0
IF-MIB::ifName.3 = STRING: eth1
IF-MIB::ifName.4 = STRING: eth2
IF-MIB::ifName.5 = STRING: dummy0
IF-MIB::ifName.6 = STRING: dumhost
IF-MIB::ifName.7 = STRING: dumdh6
Those are easier to discern, now my snmp scripts are gathering data again.

Tags: , , ,
2018-08-17 Trying (and failing) to correlate security logs 8 months ago
Since activating sendmail authentication with secondary passwords I see a number of attempts to guess credentials to send mail via my system. This is not very surprising, given the constant attack levels on the wider Internet.

For work I am looking at log correlation and monitoring and with that in mind I noted that finding the right information from sendmail where and when the attempt came from is quite hard since there are several processes busy and it's hard to correlate the logging. The failed attempt is logged by saslauthd in /var/log/auth.log:
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:28:59 greenblatt saslauthd[32648]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:29:02 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
This is probably related to this sendmail log information:
Aug 16 12:28:56 greenblatt sm-mta[20716]: STARTTLS=server, relay=62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Aug 16 12:29:02 greenblatt sm-mta[20716]: w7GASspx020716: 62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6
But I can't be sure as there are multiple 'did not issue MAIL/EXPN/VRFY/ETRN' messages in the logs. So I can't build a fail2ban rule based on this.

Tags: , , ,
2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol 8 months ago
Encrypt all the things meme After thoroughly automating Let's Encrypt certificate renewal and installation I wanted to get the same level of automation for systems that do not expose an http service to the outside world. So that means the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01 and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge which looks like it can do the job.

It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net that it will request the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed something in _acme-challenge.idefix.net which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
        type master;
        file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
                localnetwork;
        };
};
And in the idefix.net zone there is just one delegation:
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like:
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887
This gives 2 files, both with the right secret:
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options:
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
};
And now I can request a key for turing.idefix.net and use it to generate sendmail certificates. And the net result:
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256          
        verify=OK)                                                              
SMTP between systems with TLS working and good certificates.

Tags: , , ,
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 9 months ago
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net which means I always have to make outgoing mail originate from the right server.

For the sendmail authenticated smtp bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc:
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
And now I can login to sendmail only in an encrypted session. And due to sendmail and other services now having valid certificates I can set up all devices to fully check the certificate so I make it difficult to intercept this password.

And after I got that working I decided I wanted 'secondary passwords' just like I configured extra passwords for IMAPS access so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users.
auth    required    pam_succeed_if.so quiet user ingroup users
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
Now I can set up my devices that insist on saving the password for outgoing smtp and if it ever gets compromised I just have to change that password without it biting me too hard.
Read the rest of Configuring sendmail authentication like imaps access to allow secondary passwords

Tags: , , ,
  Older news items for tag linux ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews